[ovs-dev] [PATCH] pinctrl: Fix crash on buffered packets hmap double remove.

Lorenzo Bianconi lorenzo.bianconi at redhat.com
Mon Nov 12 15:04:20 UTC 2018


> 'destroy_buffered_packets()' removes the hmap node which was
> already removed by 'HMAP_FOR_EACH_POP()' producing following
> crash log:
> 
>     Invalid read of size 8
>         at 0x134EDB: hmap_remove (hmap.h:287)
>         by 0x134EDB: destroy_buffered_packets (pinctrl.c:237)
>         by 0x13AB3B: destroy_buffered_packets_map (pinctrl.c:246)
>         by 0x13AB3B: pinctrl_destroy (pinctrl.c:1804)
>         by 0x12C0CF: main (ovn-controller.c:916)
>     Address 0x8 is not stack'd, malloc'd or (recently) free'd
> 
> Could be captured by check-valgrind on the following test:
>     '2720. ovn -- IP packet buffering'
> 
> CC: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
> Fixes: d7abfe39cfd2 ("OVN: add buffering support for ip packets")
> Signed-off-by: Ilya Maximets <i.maximets at samsung.com>
> ---
>  ovn/controller/pinctrl.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ovn/controller/pinctrl.c b/ovn/controller/pinctrl.c
> index e3ee516e4..21454ab47 100644
> --- a/ovn/controller/pinctrl.c
> +++ b/ovn/controller/pinctrl.c
> @@ -241,8 +241,8 @@ destroy_buffered_packets(struct buffered_packets *bp)
>  static void
>  destroy_buffered_packets_map(void)
>  {
> -    struct buffered_packets *bp;
> -    HMAP_FOR_EACH_POP (bp, hmap_node, &buffered_packets_map) {
> +    struct buffered_packets *bp, *next;
> +    HMAP_FOR_EACH_SAFE (bp, next, hmap_node, &buffered_packets_map) {
>          destroy_buffered_packets(bp);
>      }
>      hmap_destroy(&buffered_packets_map);
> -- 
> 2.17.1
> 

Acked-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>


More information about the dev mailing list